Binding Corporate Rules

Extend Your Global Privacy Strategy through Binding Corporate Rules

TRUSTe Binding Corporate Rules (BCR) Readiness Assessment is designed to:

  • Help you understand if Binding Corporate Rules (BCR) are the right step for your company to meet international data transfer requirements;
  • Map your corporate privacy program against the BCR requirements providing a clear gap analysis and recommendations on remediation to achieve compliance; and
  • Combine with APEC Cross Border Privacy Rule Certification to meet global requirements

What are Binding Corporate Rules?

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in compliance with Directive 95/46/EC. Currently, the most popular alternative to BCRs is the use of the model contractual clauses approved by the European Commission. However, in multinational companies with complex structures, there are drawbacks where hundreds of contracts may be required to cover transfers between all affiliates, and keeping those contracts up to date can be difficult and time consuming.

How Can the TRUSTe BCR Readiness Assessment Help Multinationals with Data Transfer Compliance Requirements?

With the current uncertainty over the future of U.S.-EU Safe Harbor, U.S. companies are looking at alternative routes to ensure the adequacy of their international data transfers. Binding Corporate Rules are one of the options available but companies don’t necessarily want to commit to BCRs without a clear idea of the process and costs involved. The TRUSTe BCR Readiness Assessment helps companies to quickly review whether BCRs are right for them and the necessary steps to achieve compliance with the requirements. The framework will help companies build their BCR application in a streamlined and consistent manner and assess cost implications in advance. This assessment draws on TRUSTe’s leading-edge privacy-technology solution Assessment Manager alongside experience in addressing corporate compliance around international data transfers through preparing companies to self-certify with U.S-EU Safe Harbor and as the Accountability Agent for the APEC Cross-Border Privacy Rules Framework.


Our privacy consultants can conduct a BCR Readiness Assessment, in as little as 2 – 4 weeks, to quickly give you the information you need to assess where you stand and what next steps you need to take to prepare for BCR submission.

Discovery & Assessment

We first conduct discovery of your company’s existing policies, practices, and documentation relevant to a BCR application. We also conduct interviews to identify relevant personal data flows.

In addition to information gathered during discovery, we leverage information from your existing TRUSTe Enterprise, US-EU Safe Harbor, and APEC Assessments and Certifications.

We then assess your company against our BCR Readiness Assessment requirements, based on a combination of sources including the Article 29 Working Party papers (WP 74, WP 108, WP 133) and the Referential BCR CBPR Requirements (“Referential”).

Findings Report

Our privacy experts deliver a Findings Report that includes a summary of requirements that are met along with gaps and recommended action items, broken down by priority and level of effort. This can help you determine whether to continue with preparation for the BCR submission.

Should you decide to move forward with preparation, the Findings Report serves as a project plan of clearly defined steps. This can help you effectively direct internal resources as well as outside counsel or consultants on any necessary work, so you can stay in control of the scope and budget.


TRUSTe privacy experts advise on how best to package existing documentation to streamline the BCR application process.


Several privacy compliance mechanisms are available to provide coverage across multiple regions. With some uncertainty around the US-EU / US-Swiss Safe Harbor Framework, companies are now looking to BCRs or Model Contract Clauses as potential solutions.

Each option has benefits and trade–offs that are important to weigh when selecting a mechanism that fits your needs.

Model Contract Clauses

By leveraging already approved clauses, this option provides a means of implementing some level of protectionFor many companies, hundreds of contracts may be required to cover transfers between all affiliates. Keeping those contracts up to date can be difficult and time consuming
Companies with small EU footprints may be able to execute in a short timeframeSome EU member states require registration of the use of the model contract clauses so that its Data Protection Authority can verify that the usage is appropriate
May require substantial and recurring outside counsel spend to continually review / revise hundreds of contracts, and respond to requests


Provides a sustainable framework for a range of intra-group data transfersCan be a lengthy process if there is still a lot of work to be done to implement company procedures that meet requirements
Helps achieve an elevated and consistent level of data protection compliance accountability by ensuring that all group entities work towards enhanced data handling standardsLead DPA coordinates to gain approval from individual member country’s DPA through “Mutual Recognition” agreement, but it is a process to plan for
Strengthen an organization’s brand in the eyes of customers, third-parties and regulatorsOn-going compliance reviews require maintenance time
Reduces administrative complexity of model contract clauses
More comprehensive than EU Safe Harbor
With the clear initial authorization from all of the impacted EU member country DPAs, this mechanism reduces risks of potential regulatory action

TRUSTe Privacy Professionals

TRUSTe Privacy Services are delivered by our Privacy Consultants and Privacy Services Managers, a team of recognized data privacy experts with significant experience conducting privacy assessments. Our team has a unique hybrid background of privacy, technology, business process, and project management experience. All are CIPP trained or certified, many have law degrees, and have hands-on experience working for a wide range of companies including Adobe, American Express, Citrix, Comcast, HSBC Bank, IBM, Kimberly-Clark, Microsoft, Pfizer, and many more.

Our privacy team leverages nearly 20 years experience delivering data privacy management solutions for thousands of global brands along with our comprehensive technology platform. We also have key regulatory relationships and are a leading provider of privacy services supporting regulatory and self-regulatory compliance programs for a wide range of agencies including APEC, DOC, DAA, EDAA, and FTC.

TRUSTe Technology Platform

Our Data Privacy Management Services leverage the TRUSTe Platform, a comprehensive, SaaS technology solution that provides state of the art assessment management, compliance control, and website scanning / monitoring capabilities.

Data privacy management platform from TRUSTe offering web, cloud, mobile and ad privacy solutions.